My name is danah boyd and I'm a Principal Researcher at Microsoft Research and the founder/president of Data & Society. Buzzwords in my world include: privacy, context, youth culture, social media, big data. I use this blog to express random thoughts about whatever I'm thinking.

Archive

How Parents Normalized Teen Password Sharing

In 2005, I started asking teenagers about their password habits. My original set of questions focused on teens’ attitudes about giving their password to their parents, but I quickly became enamored with teens’ stories of sharing passwords with friends and significant others. So I was ecstatic when Pew Internet & American Life Project decided to survey teens about their password sharing habits. Pew found that one third of online 12-17 year olds share their password with a friend or significant other and that almost half of those 14-17 do. I love when data gets reinforced.

Last week, Matt Richtel at the New York Times did a fantastic job of covering one aspect of why teens share passwords: as a show of affection. Indeed, I have lots of fun data that supports Richtel’s narrative — and complicates it. Consider Meixing’s explanation for why she shares her password with her boyfriend:

Meixing, 17, TN: It made me feel safer just because someone was there to help me out and stuff. It made me feel more connected and less lonely. Because I feel like Facebook sometimes it kind of like a lonely sport, I feel, because you’re kind of sitting there and you’re looking at people by yourself. But if someone else knows your password and stuff it just feels better.

For Meixing, sharing her password with her boyfriend is a way of being connected. But it’s precisely these kinds of narratives that have prompted all sorts of horror by adults over the last week since that NYTimes article came out. I can’t count the number of people who have gasped “How could they!?!” at me. For this reason, I feel the need to pick up on an issue that the NYTimes let out.

The idea of teens sharing passwords didn’t come out of thin air. In fact, it was normalized by adults. And not just any adult. This practice is the product of parental online safety norms. In most households, it’s quite common for young children to give their parents their passwords. With elementary and middle school youth, this is often a practical matter: children lose their passwords pretty quickly. Furthermore, most parents reasonably believe that young children should be supervised online. As tweens turn into teens, the narrative shifts. Some parents continue to require passwords be forked over, using explanations like “because I’m your mother.” But many parents use the language of “trust” to explain why teens should share their passwords with them.

There are different ways that parents address the password issue, but they almost always build on the narrative of trust. (Tangent: My favorite strategy is when parents ask children to put passwords into a piggy bank that must be broken for the paper with the password to be retrieved. Such parents often explain that they don’t want to access their teens’ accounts, but they want to have the ability to do so “in case of emergency.” A piggy bank allows a social contract to take a physical form.)

When teens share their passwords with friends or significant others, they regularly employ the language of trust, as Richtel noted in his story. Teens are drawing on experiences they’ve had in the home and shifting them into their peer groups in order to understand how their relationships make sense in a broader context. This shouldn’t be surprising to anyone because this is all-too-common for teen practices. Household norms shape peer norms.

There’s another thread here that’s important. Think back to the days in which you had a locker. If you were anything like me and my friends, you gave out your locker combination to your friends and significant others. There were varied reasons for doing so. You wanted your friends to pick up a book for you when you left early because you were sick. You were involved in a club or team where locker decorating was common. You were hoping that your significant other would leave something special for you. Or – to be completely and inappropriately honest – you left alcohol in your locker and your friends stopped by for a swig. (One of my close friends was expelled for that one.) We shared our locker combinations because they served all sorts of social purposes, from the practical to the risqué.

How are Facebook passwords significantly different than locker combos? Truth be told, for most teenagers, they’re not. Teens share their passwords so that their friends can check their messages for them when they can’t get access to a computer. They share their passwords so their friends can post the cute photos. And they share their passwords because it’s a way of signaling an intimate relationship. Just like with locker combos.

Can password sharing be abused? Of course. I’ve heard countless stories of friends “punking” one another by leveraging password access. And I’ve witnessed all sorts of teen relationship violence where mandatory password sharing is a form of surveillance and abuse. But, for most teens, password sharing is as risky as locker combo sharing. This is why, even though 1/3 of all teens share their passwords, we only hear of scattered horror stories.

I know that this practice strikes adults as seriously peculiar, but it irks me when adults get all judgmental on this teen practice, as though it’s “proof” that teens can’t properly judge how trustworthy a relationship is. First, it’s through these kinds of situations where they learn. Second, adults are dreadful at judging their own relationships (see: divorce rate) so I don’t have a lot of patience for the high and mighty approach. Third, I’m much happier with teens sharing passwords as a form of intimacy than sharing many other things.

There’s no reason to be aghast at teen password sharing. Richtel’s story is dead-on. It’s pretty darn pervasive. But it also makes complete sense given how notions of trust have been constructed for many teens.

24 comments to How Parents Normalized Teen Password Sharing

Thank you for this– I had the same immediate reaction to the Times article. I have a hard time seeing how sharing facebook passwords is substantially different than sharing a locker combination. In fact, I really think that’s it’s safer– the password can be changed easily when the relationship dissolves.

It’s not so different from sharing an email address, either, and a lot of adults do that, as I discovered in my last job. I grew up in a family of seven – each parent had an email address, and the five children shared one. Now we all have several of our own and I can’t imagine sharing one with someone else, but many married couples (and their children) do.

You can argue that a marriage/email address is likely to last longer than a high school relationship, but the differences are enough that it doesn’t much matter. The Facebook account is only in one person’s name, and if a relationship breaks down (whether platonic or romantic) they can change the password. It’s harder to change your email address than it is to change your password.

So, in other words, phishing is now obsolete because we live in a society where one can just ask for a passphrase from someone and get it?

Lovely. This just reinforces the phenomenon that World of Warcraft can use a stronger authentication mechanism (two factor authentication with a physical token) than most banks and corporate webmail services (Googleable usernames and crappy passwords).

That slapping sound you hear is most of the infosec community facepalming.

Echoing the thanks for letting us hear these teenagers’ voices. Your research is an anodyne for the irritation of listening/reading the paranoid and paternal c$#p put forward in so many other places.

Have you done any work on how these individual translate or transfer their expectations and practices when them move from the social and personal realms to the workplace? When I read this, my first thought, was that there might be issues when these teenagers join the workforce. They will be told to keep their passwords to themselves for security and/or privacy protection of the data to which they have access. How will this message be received and applied?

We had pretty strong privacy norms in the household I grew up in, so the practice seems weird to me, probably for exactly the reasons you mention. But there are a lot of ways that older people use the internet that seem equally weird to me — married couples sharing an email address, for instance.

I love the piggy bank idea, though. It does seem important to have a way of getting access to passwords, e.g. if a person is hospitalized or dies.

John Wunderlich writes: “there might be issues when these teenagers join the workforce. They will be told to keep their passwords to themselves […] How will this message be received and applied?”

Good point. I used to share my locker combination as a high schooler. Now, at work, I’m always at a loss what to do. Do I lock my office? Do I make a copy of the key and give it to my co-workers? What about my car? Lock the doors or leave them open? This stuff is all so difficult to figure out!

I find the piggy bank idea interesting–particularly your description of it as a social contract made physical. This is a Sumerian contract envelope, a clay ball containing tokens that represented individual items owed in a pre-literacy society. Later, images depicting the contents would be applied to the outside, which, centuries later, would become ever more stylized and led to cuneiform writing, which was used up until we stopped writing on clay tablets. Neat.

Wouldn’t the infosec people look at this and say that the password delegates too much authority? There’s a difference between what people want to give their friends access to, and what they end up granting access to when they share a password.

The piggybank example is wonderful in that regard. The parent (and child, perhaps) wants an emergency “out” in case they forget the password. The piggybank is a mechanism for that that doesn’t provide full access to the account. (It doesn’t work if the child changes the password, though! I would suggest having an address solely for kids’ password recovery, and put the password for THAT into the piggybank).

Similarly, the teenager wants to share passwords so their bf/gf can read their e-mail, or see everything they have on FB, or whatever. But the only thing they can do is delegate full control to the possessor of that password – their friend can now impersonate them in e-mail or on facebook. There’s probably a rich variety of things they are really wanting to do: i might want to delegate the ability to update statuses but not post photos on fb, or post anything but not change my settings (or change my password, notably…), or read but not send mail, etc.

Some tools are good at managing this (Outlook lets you selectively delegate certain privileges, for instance) and operating system software has been aware of this for a while now (administrator/root vs. user privileges). Some internet services have figured out that there’s a difference between authorizing a user to access certain aspects of a service and giving them the password to do anything you can do.

But most do not provide the ability to differentiate the level of access – to provide access without sharing full control.

It’s all fun and games and fuzzies until the wrong person gets the password. Then someone finds that their Facebook password was changed, and the email address associated with the account is changed also, so that the owner of the account is locked out and can’t recover the password. Meanwhile, the person that took control of the account can post anything they want, any picture or video they want, no matter how embarrassing (or illegal) it is.

I share all of my passwords with my wife, so I do understand why teen do this. It builds trust and intimacy. We also share some accounts email online banking ebay and paypal. Sometime it just makes thing easier.

Along similar lines what Gary said above, I’d be curious as to how the sensible parental discussions around passwords go regarding passwords for accounts with, say, more direct financial consequences. I can imagine having the “Facebook password is like a high school locker combination – possibly shareable with your friends” conversation, but I can also imagine having a “debit card pin number is like a safe deposit box key – not shareable” discussion. I suspect that learning about the difference, and any gradual transition to “mature” use of passwords, where most or all are treated like debit card pin numbers, is part of the overall maturation that teens do as they become young adults. But I don’t (yet) have kids, so I haven’t witnessed that transition myself.

affection…. whatevs. To me trust means you are ok with relinquishing control of X to me for practical purposes. (I trust you to take out the garbage is much different than I trust you not to gossip about my mistakes and flaws). How is sharing passwords practical? If I am in a situation where I am asked for my password my and every-ones first though should be something like, “What, you don’t trust me?”. I guess it can be perceived differently If I was to perhaps instruct someone I trust to do something on my behalf where they would need my password. I guess that perspective applied to this article is kind of cart before the horse. I trust them to do this thing on my behalf therefore I give them my password. Not I give them my password so they can do things on my behalf just encase I’m dead maybe.

WRONG!!!!!!!!
The equality you state is in fact an inequality. The potential consequences of sharing a facebook password over sharing a locker combination are complete different in severity — to claim equality merely shows a lack of understanding. Next you will tell young people that it is ok to give their new boy/girl friend their credit/debit card and PIN, because it will build trust.
Listening to pyschobabble like this is a huge part of the problem that people face in keeping themselves safe online — it matches what many of their peers say, so they want to listen. Unfortunately it is wrong,and dangerous.

The take-away is that parents need to wrap the conversation in something other than trust. The reason for passwords and for NOT sharing them is something that will be part of their adult and professional life. Early-year desensitization to the importance of protecting passwords is as much a disservice to a child as is teaching them to think that the world isn’t competitive, that everyone is a winner, or that equal outcome happens anywhere outside of public education.

@Douglas Turner
I think you mistake the observations and descriptions of teen behaviour, by the author, with her recommending security practices. Recording behaviour, an how it’s interpreted by the teens among themselves, is hardly psychobabble.

She’s also pointing out that children and teens learn computing habits from their parents, and transfer those habits and behaviours to their peer group when that peer group becomes as important to them as their parents.

I remember sharing locker combos – the parallel is a good one, with the caveat that your shared locker combo couldn’t embarrass you to your entire social circle the way a hacked FB account could.

Hmm — applying the analogy of passwords are like underwear (don’t share, change often, keep private, don’t leave lieing around, etc) — I guess I would rather my teenage sons share a password than their underwear…

But the better point is the parents’ influence in essentially desensitizing teens to the importance of a password and protecting their privacy. I like the idea of the piggy bank to help distinguish the need or appropriateness for a parent to have access to the account of a minor for who they’re responsible.

Maybe Facebook (and similar services) should add a “Delegate” access, similar to some email systems. For example, my assistant can schedule a meeting on my behalf, but people can see that she scheduled it. I could also grant access for her to send email on my behalf, but again, it would indicate, “Sent by: …..” So – a Social Networking post or photo that indicates “posted by: … the significant other…” would be an elevated level of “trust” without inappropriate exposure of privacy.

The equality you state is in fact an inequality. The potential consequences of sharing a facebook password over sharing a locker combination are complete different in severity — to claim equality merely shows a lack of understanding.

Oh, I don’t know. What if Danah’s friend had put the booze in Danah’s locker. Or somebody put a gun in there? There are plenty of evil consequences on both sharing types.

I would also suggest that sharing electronic space is less likely to result in disaster than sharing physical space – embarrassment, definitely, disaster? I certainly hope that kids find it easier to get hold of booze than, say, child porn images. Or guns, although I appreciate this may not hold in all jurisdictions.

subscribe to apopheniaLeave This Blank:Leave This Blank Too:Do Not Change This: